You can now configure Messaging Server so that it knows the Directory Server is able to retrieve cleartext passwords. This makes it safe for Messaging Server to advertise APOP, CRAM-MD5, and DIGEST-MD5:
configutil -o sasl.default.ldap.has_plain_passwords -v 1
You can disable these challenge/response SASL mechanisms by setting the value to 0.
Existing users cannot use APOP, CRAM-MD5, or DIGEST-MD5 until their password is reset or migrated (see to Transition Users).
Note that MMP has an equivalent option: CRAMs.